From: Matt Caswell Date: Thu, 12 Oct 2023 14:42:22 +0000 (+0100) Subject: Fix a use-after-free in qrx_proces_pkt X-Git-Tag: openssl-3.2.0-beta1~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1f8a8c1de90ebdb4f3c9dbbf3d1329e3f025e946;p=thirdparty%2Fopenssl.git Fix a use-after-free in qrx_proces_pkt When calling qrx_relocate_buffer, both the rxe and the pointer to the token may be changing locations. We have to use a temporary copy of the token pointer to avoid referencing the old location of the rxe. Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/22368) --- diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c index 6756ddb151c..c75b4e93be0 100644 --- a/ssl/quic/quic_record_rx.c +++ b/ssl/quic/quic_record_rx.c @@ -939,10 +939,19 @@ static int qrx_process_pkt(OSSL_QRX *qrx, QUIC_URXE *urxe, * * Relocate token buffer and fix pointer. */ - if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL - && !qrx_relocate_buffer(qrx, &rxe, &i, &rxe->hdr.token, - rxe->hdr.token_len)) - goto malformed; + if (rxe->hdr.type == QUIC_PKT_TYPE_INITIAL) { + const unsigned char *token = rxe->hdr.token; + + /* + * This may change the value of rxe and change the value of the token + * pointer as well. So we must make a temporary copy of the pointer to + * the token, and then copy it back into the new location of the rxe + */ + if (!qrx_relocate_buffer(qrx, &rxe, &i, &token, rxe->hdr.token_len)) + goto malformed; + + rxe->hdr.token = token; + } /* Now remove header protection. */ *pkt = orig_pkt;
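Review bot: The write-back `rxe->hdr.token = token;` is skipped on the `goto malformed` path, so the fix is only complete if nothing on that error path reads `rxe->hdr.token` after a partially completed relocation; that is worth confirming, and worth a sentence in the comment. The comment in the hunk would also be clearer if it named the actual hazard rather than "may change the value of rxe": the old code computed `&rxe->hdr.token`, an address inside the original rxe allocation, before the call, and qrx_relocate_buffer then stored the relocated token pointer through that address after `rxe` had already been moved, which is the use-after-free the commit message describes. Passing the address of the local `token` instead and assigning it back afterwards avoids that; stating this explicitly (and ending the comment with a period) would help the next reader, as would checking whether any other qrx_relocate_buffer call site passes a pointer that lives inside the rxe being relocated.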